diff --git a/controllers/node.go b/controllers/node.go
index 400eb85f..a3058838 100644
--- a/controllers/node.go
+++ b/controllers/node.go
@@ -586,6 +586,7 @@ func createIngressGateway(w http.ResponseWriter, r *http.Request) {
 logic.CreateRole(models.UserRolePermissionTemplate{
 ID: models.GetRAGRoleName(node.Network, host.Name),
 NetworkID: models.NetworkID(node.Network),
+ Default: true,
 NetworkLevelAccess: map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope{
 models.RemoteAccessGwRsrc: {
 models.RsrcID(node.ID.String()): models.RsrcPermissionScope{
@@ -651,7 +652,7 @@ func deleteIngressGateway(w http.ResponseWriter, r *http.Request) {
 return
 }
- go logic.RemoveNetworkRoleFromUsers(*host, node)
+ go logic.DeleteRole(models.GetRAGRoleName(node.Network, host.Name), true)
 apiNode := node.ConvertToAPINode()
 logger.Log(1, r.Header.Get("user"), "deleted ingress gateway", nodeid)
diff --git a/logic/user_mgmt.go b/logic/user_mgmt.go
index 9fa5a10e..ccb9d2b2 100644
--- a/logic/user_mgmt.go
+++ b/logic/user_mgmt.go
@@ -28,6 +28,10 @@ var CreateRole = func(r models.UserRolePermissionTemplate) error {
 return nil
 }
+var DeleteRole = func(r models.UserRoleID, force bool) error {
+ return nil
+}
+
 var FilterNetworksByRole = func(allnetworks []models.Network, user models.User) []models.Network {
 return allnetworks
 }
@@ -38,7 +42,6 @@ var IsGroupsValid = func(groups map[models.UserGroupID]struct{}) error {
 var IsNetworkRolesValid = func(networkRoles map[models.NetworkID]map[models.UserRoleID]struct{}) error {
 return nil
 }
-var RemoveNetworkRoleFromUsers = func(host models.Host, node models.Node) {}
 var InitialiseRoles = userRolesInit
 var DeleteNetworkRoles = func(netID string) {}
diff --git a/pro/controllers/users.go b/pro/controllers/users.go
index bb893aaa..344bf45b 100644
--- a/pro/controllers/users.go
+++ b/pro/controllers/users.go
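Review bot: The forced role deletion in deleteIngressGateway is started with `go logic.DeleteRole(...)` and its error return is dropped, so a failed cleanup leaves the gateway's access role in place with nothing in the logs; the removed RemoveNetworkRoleFromUsers did log that failure through slog.Error. Wrapping the call in a closure that logs a non-nil error keeps that visibility, as sketched below. The same applies to `DeleteRole(role.ID, true)` in DeleteNetworkRoles in pro/logic/user_mgmt.go, which also ignores the result. It is also worth confirming that DeleteRole's user loop, which lies outside the visible hunks, removes the role from every user's NetworkRoles as the removed helper did, since a leftover role ID would presumably become live again if a gateway with the same network and host name is created later. deleteIngressGateway's body starts and ends outside the hunk.

```go
// … unchanged: gateway deletion and early return on error …
go func() {
	// Forced delete skips the default-role guard; report failures so a stale gateway role does not go unnoticed.
	if err := logic.DeleteRole(models.GetRAGRoleName(node.Network, host.Name), true); err != nil {
		logger.Log(0, "failed to delete remote access gateway role:", err.Error())
	}
}()
// … unchanged: apiNode conversion and response …
```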
@@ -591,7 +591,7 @@ func deleteRole(w http.ResponseWriter, r *http.Request) {
 logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("role is required"), "badrequest"))
 return
 }
- err := proLogic.DeleteRole(models.UserRoleID(rid))
+ err := proLogic.DeleteRole(models.UserRoleID(rid), false)
 if err != nil {
 logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
 return
diff --git a/pro/initialize.go b/pro/initialize.go
index 68952676..c888e6b3 100644
--- a/pro/initialize.go
+++ b/pro/initialize.go
@@ -121,6 +121,7 @@ func InitPro() {
 mq.UpdateMetricsFallBack = proLogic.MQUpdateMetricsFallBack
 logic.GetFilteredNodesByUserAccess = proLogic.GetFilteredNodesByUserAccess
 logic.CreateRole = proLogic.CreateRole
+ logic.DeleteRole = proLogic.DeleteRole
 logic.NetworkPermissionsCheck = proLogic.NetworkPermissionsCheck
 logic.GlobalPermissionsCheck = proLogic.GlobalPermissionsCheck
 logic.DeleteNetworkRoles = proLogic.DeleteNetworkRoles
@@ -128,7 +129,6 @@ func InitPro() {
 logic.FilterNetworksByRole = proLogic.FilterNetworksByRole
 logic.IsGroupsValid = proLogic.IsGroupsValid
 logic.IsNetworkRolesValid = proLogic.IsNetworkRolesValid
- logic.RemoveNetworkRoleFromUsers = proLogic.RemoveNetworkRoleFromUsers
 logic.InitialiseRoles = proLogic.UserRolesInit
 }
diff --git a/pro/logic/user_mgmt.go b/pro/logic/user_mgmt.go
index 98abf67f..e085aded 100644
--- a/pro/logic/user_mgmt.go
+++ b/pro/logic/user_mgmt.go
@@ -9,7 +9,6 @@ import (
 "github.com/gravitl/netmaker/logger"
 "github.com/gravitl/netmaker/logic"
 "github.com/gravitl/netmaker/models"
- "golang.org/x/exp/slog"
 )
 var ServiceUserPermissionTemplate = models.UserRolePermissionTemplate{
@@ -158,7 +157,7 @@ func DeleteNetworkRoles(netID string) {
 roles, _ := ListNetworkRoles()
 for _, role := range roles {
 if role.NetworkID.String() == netID {
- DeleteRole(role.ID)
+ DeleteRole(role.ID, true)
 }
 }
 }
@@ -325,7 +324,7 @@ func UpdateRole(r models.UserRolePermissionTemplate) error {
 }
 // DeleteRole - deletes user role
-func DeleteRole(rid models.UserRoleID) error {
+func DeleteRole(rid models.UserRoleID, force bool) error {
 if rid.String() == "" {
 return errors.New("role id cannot be empty")
 }
@@ -337,7 +336,7 @@ func DeleteRole(rid models.UserRoleID) error {
 if err != nil {
 return err
 }
- if role.Default {
+ if !force && role.Default {
 return errors.New("cannot delete default role")
 }
 for _, user := range users {
@@ -806,29 +805,6 @@ func IsNetworkRolesValid(networkRoles map[models.NetworkID]map[models.UserRoleID
 return nil
 }
-func RemoveNetworkRoleFromUsers(host models.Host, node models.Node) {
- users, err := logic.GetUsersDB()
- if err == nil {
- for _, user := range users {
- // delete role from user
- if netRoles, ok := user.NetworkRoles[models.NetworkID(node.Network)]; ok {
- delete(netRoles, models.GetRAGRoleName(node.Network, host.Name))
- user.NetworkRoles[models.NetworkID(node.Network)] = netRoles
- err = logic.UpsertUser(user)
- if err != nil {
- slog.Error("failed to get user", "user", user.UserName, "error", err)
- }
- }
- }
- } else {
- slog.Error("failed to get users", "error", err)
- }
- err = DeleteRole(models.GetRAGRoleName(node.Network, host.Name))
- if err != nil {
- slog.Error("failed to delete role: ", models.GetRAGRoleName(node.Network, host.Name), err)
- }
-}
-
 // PrepareOauthUserFromInvite - init oauth user before create
 func PrepareOauthUserFromInvite(in models.UserInvite) (models.User, error) {
 var newPass, fetchErr = logic.FetchPassValue("")
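Review bot: The doc comment above DeleteRole still reads `// DeleteRole - deletes user role` and does not mention the new `force` parameter, which switches off the only guard on default roles (`if !force && role.Default`). Because this is an authorization-sensitive switch, the comment should say so, for example `// DeleteRole - deletes user role; force skips the default-role check and is for internal cleanup only, never a value taken from an API request`. The bypass is unconditional, so any caller passing true with a wrong or colliding role ID can remove a default role. If the intent is only to clean up per-network roles, a narrower guard such as `if role.Default && !(force && role.NetworkID != "")` would keep global defaults protected; how built-in defaults are stored is not visible here, so that needs checking against the rest of the file. DeleteRole's body continues outside these hunks.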